Sunday 3 June 2012

SCCM - Enable BitLocker with TPM and PIN

In our environment we are using BitLocker with the TPM and a PIN. SCCM has the option to enable BitLocker as part of a Task Sequence.

However, it cannot set a PIN. If you have Group Policy settings that force a PIN, the corresponding registry settings won't be applied until AFTER the TS has completed. Not very useful.

The solution:
Use the built-in SCCM task "Enable BitLocker". Choose "TPM only" and save the recovery information to AD:

This will enable BitLocker and start encrypting the disk. I have not tested it yet, but I can't see why you couldn't have this straight after the step "Setup Windows and ConfigMgr". In theory this would leave you much further along in the encryption process by the time the TS ends.

From an already encrypted PC you want to export the registry key with your settings. Remember to re-do this if you change your BitLocker policy. The registry key you want is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

With all of this at the end of the TS, I add a reboot after the above step. I have had some odd results with the first login without doing this reboot. However, if this is at the beginning, you will most likely have a reboot somewhere anyway.

Apply the registry file you exported above using a "Command Line" step, or create a package:
regedit /s <filename.reg>

Ok, so we have encryption enabled and our registry settings added. Now we can set a PIN. Add another "Command Line" step:
manage-bde.exe -protectors -add c: -tp %EnPass%
%EnPass% is a task sequence variable. How you set it is up to you; you can set it manually at this point if you want. I have an HTA with some options, one of which asks for this password and sets this variable.
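The steps above (registry settings applied, then the TPM+PIN protector added from the task sequence variable) as one script that can run from a single task sequence step. This is an added example, not code from the original post: the drive letter, the $RegFile parameter, the EnPass variable name (taken from the post) and the policy value names are my assumptions. It reads the PIN from the task sequence environment COM object rather than taking it on the command line, because the command line of a "Command Line" step is normally written to smsts.log and the PIN would be recorded there in clear text. If you give it the path of the .reg file you exported, it imports that; otherwise it writes the two FVE policy values that allow a TPM+PIN protector. Afterwards it verifies the protector is present without ever printing the PIN.

```powershell
# Added example (not from the original post). Run as a task sequence step after the
# built-in "Enable BitLocker" (TPM only) step and the reboot.
# Assumptions: drive C:, PIN stored in task sequence variable EnPass, optional
# exported .reg file passed as -RegFile.
param(
    [string]$Drive   = 'C:',
    [string]$RegFile = ''   # path to the FVE .reg export; empty = write minimal values
)

$ErrorActionPreference = 'Stop'

# 1. Read the PIN from the task sequence environment. Passing it as a step argument
#    would leave it in smsts.log together with the logged command line.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$pin   = $tsenv.Value('EnPass')
if ([string]::IsNullOrWhiteSpace($pin)) { throw 'Task sequence variable EnPass is empty' }

# 2. Apply the BitLocker policy settings that Group Policy would otherwise apply
#    only after the TS. Either import the exported key or set the minimum values:
#    UseAdvancedStartup = 1 turns the policy on, UseTPMPIN = 1 requires TPM+PIN
#    (2 would merely allow it). Value names are the standard ones under the FVE key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if ($RegFile -and (Test-Path $RegFile)) {
    & regedit.exe /s $RegFile
    if ($LASTEXITCODE -ne 0) { throw "regedit returned $LASTEXITCODE importing $RegFile" }
} else {
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
}

# 3. Sanity check: the earlier step should have left the volume in a state manage-bde
#    can report on before we try to change its protectors.
$status = (& manage-bde.exe -status $Drive) -join "`n"
if ($status -notmatch 'Protection Status') { throw "manage-bde could not report on $Drive" }

# 4. Add the TPM+PIN protector. -tp is the short form of -TPMAndPIN, as in the post.
& manage-bde.exe -protectors -add $Drive -tp $pin | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -add failed with code $LASTEXITCODE" }

# 5. Verify the result without echoing the PIN: the protector list must now include
#    a "TPM And PIN" entry.
$protectors = (& manage-bde.exe -protectors -get $Drive) -join "`n"
if ($protectors -notmatch 'TPM And PIN') { throw "No TPM And PIN protector found on $Drive" }

# Drop the PIN from memory as soon as it is no longer needed.
Remove-Variable pin
Write-Output "TPM+PIN protector added to $Drive"
```

Keep the UseTPMPIN value in step 2 consistent with what your exported .reg file and your Group Policy actually say; if the two disagree, the first policy refresh after the TS will change the setting again. The "TPM And PIN" check in step 5 is what tells you the add really succeeded, since a policy mismatch makes manage-bde refuse the protector rather than silently fall back to TPM only.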